Security – Vulnerability Disclosure

Purpose
GRIN is committed to maintaining the security of our networks and protecting our customers’ data. The security researcher community regularly makes valuable contributions to the security of organizations and the broader internet, and GRIN recognizes that fostering a close relationship with the community will help improve our own security. GRIN accepts and acts on vulnerabilities discovered by security researchers.

Scope
GRIN has set the following boundaries for security testing. The following websites are in scope.

  1. https://grin.co/
  2. https://app.grin.co/

Out of Scope
While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:

  1. Performing actions that may negatively affect GRIN or its users (e.g., Spam, Brute Force, Denial of Service…)
  2. Accessing, or attempting to access, data or information that does not belong to you
  3. Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you
  4. Conducting any kind of physical or electronic attack on GRIN personnel, property or data centers
  5. Social engineering any GRIN employee or contractor
  6. Conducting vulnerability testing of participating services using anything other than test accounts
  7. Violating any laws or breaching any agreements in order to discover vulnerabilities

Safe Harbor
GRIN pledges not to initiate legal action against researchers for penetrating or attempting to penetrate our systems as long as the security researcher adheres to this policy.

Process
In order to submit a vulnerability report to GRIN’s Security Team, please utilize the OWASP Vulnerability Disclosure Cheat Sheet. GRIN has set the following criteria for vulnerability reports.

  1. Well-written reports in English will have a higher chance of being accepted.
  2. Reports that include proof of concept code will be more likely to be accepted.
  3. Reports that include only crash dumps or other automated tool output will most likely not be accepted.
  4. Reports that include out of scope sites will be ignored.
  5. Include how you found the bug, the impact, and any potential remediation.
  6. Send email to security@grin.co and include any plans for public disclosure.

What you can expect from us:

  1. A timely response to your email (within 2 business days).
  2. An open dialog to discuss issues.
  3. Notification when the vulnerability analysis has completed each stage of our review.
  4. An expected timeline for patches and fixes (usually within 120 days).
  5. Credit after the vulnerability has been validated and fixed.

If you suspect that AWS resources (such as an EC2 instance or S3 bucket) are being used for suspicious activity, you can report it to the AWS Abuse Team.

Public Notification
If applicable, GRIN will coordinate public notification of a validated vulnerability with you.

When possible, we would prefer that our respective public disclosures be posted simultaneously.

In order to protect our customers, GRIN requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers if needed.